
For years I've mostly been reading about network security, but now I feel I want to dive into application security some (a lot) more.

I've been chatting with a friend of mine from a distant land, who does a lot of application security auditing and who is quite active with OWASP. He recommended WebGoat to me as a good starting point.

It certainly seems an interesting piece of software to practice on, but just to make sure, I wanted to ask around here for opinions: did you do the lessons of WebGoat, and did you learn a thing or two from them? Remember: I am a complete newbie in the field of appsec; however, I have a fair bit of programming experience, which I hope will help me get into the right state of mind.

If it might be useful, I'm thinking of writing a little piece about my experiences with WebGoat once I go for it. As far as I can find, there is no such article on EHN yet?

WebGoat is a great learning tool and I can recommend it especially to those who have little or no experience in this area. Intermediates should be able to learn and practice some new techniques as well. The learning curve is manageable and the scenarios are legit. As solutions are included as well, one should be able to get through it and understand the concepts. You also have the possibility to create your own scenarios, which is a nice feature as well.

Setup is very straightforward, so just try it out and decide for yourself.

Last edited by UNIX on Mon Mar 22, 2010 6:17 am, edited 1 time in total.

Being a programmer too, I also think WebGoat is good for doing a one-hour demo for the other developers. Once you have gone through the exercises and understood them, you can decide to put it on a laptop and demonstrate the main attacks to the others. I found this very effective in making the other developers realize the importance of validating user input, etc.
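The kind of demo described above, as an added example that is not part of the original post and not WebGoat's own code: WebGoat's "String SQL Injection" lesson recreated in Python against an in-memory SQLite table, with the vulnerable string-built query next to its parameterised fix. The user table and passwords are constructed sample data; the two payloads are the classic tautology and comment-out bypasses.

```python
"""Added example (not WebGoat's code): a string SQL injection lesson
recreated with an in-memory SQLite database, so the vulnerable query and
its parameterised fix can be run side by side in a demo."""
import sqlite3

# Constructed sample data for the demo; users and passwords are made up.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Creates a throwaway in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, name, password):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_lesson():
    """Runs both demo payloads against both versions and returns the results."""
    conn = make_db()
    results = {}

    # Payload 1: a tautology in the password field. AND binds tighter than
    # OR, so the WHERE clause becomes (name='anyone' AND password='') OR
    # '1'='1', which is true for every row: every user is "logged in".
    tautology = "' OR '1'='1"
    results["tautology_vulnerable"] = login_vulnerable(conn, "anyone", tautology)
    results["tautology_fixed"] = login_fixed(conn, "anyone", tautology)

    # Payload 2: close the quote in the name field and comment out the rest
    # of the statement with --, logging in as a chosen user with no password.
    comment = "alice' --"
    results["comment_vulnerable"] = login_vulnerable(conn, comment, "x")
    results["comment_fixed"] = login_fixed(conn, comment, "x")

    # A genuine login still works in both versions.
    results["legit_vulnerable"] = login_vulnerable(conn, "bob", "hunter2")
    results["legit_fixed"] = login_fixed(conn, "bob", "hunter2")
    return results


if __name__ == "__main__":
    for label, rows in run_lesson().items():
        print(f"{label:22s} -> {rows}")
```

In a demo the point to make is that the fix is not better escaping but keeping the query text constant: with placeholders the payload strings are compared against the column values and simply fail to match, while the same strings alter the statement's structure when concatenated in.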

I agree that WebGoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the OWASPBWA virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of WebGoat, but also a number of other preconfigured web security learning apps like Damn Vulnerable Web App and Mutillidae.

digitalcliff wrote: I agree that WebGoat is an excellent learning and teaching tool. If you are not comfortable setting it up on your own, I would suggest taking a look at the OWASPBWA virtual image from http://code.google.com/p/owaspbwa/, which includes not only the latest version of WebGoat, but also a number of other preconfigured web security learning apps like Damn Vulnerable Web App and Mutillidae.

Good info! Is this the same as the OWASP LiveCD, or does it contain extra functionality?

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

Earning my stripes appears to be a road I must travel alone... with a little help from EH.net

These contain both tools like w3af, Burp Suite and sqlmap, and vulnerable apps such as DVWA, Mutillidae, HacMe Casino and others, thereby providing both the tools and the apps needed to get familiar with web app testing.

I used this free evening to get started with WebGoat, and I'm already getting hooked :-) I'll write my first little piece, concerning the first steps and the first lessons, ASAP. This way I can get some guidelines from you guys early in the process. InfoSecurity.be event tomorrow and the day after though, so not sure about the exact ETA.

It's turning out to be a magnificent security-oriented week for me, with getting to know EHN and going to my first conference :-) I love it!